Copy files from host to guest #1041
Conversation
devimc
force-pushed
the
topic/no9pCopyFiles
branch
from
ea1982f to
96c3e34
Compare
| if !caps.is9pSupported() { | ||
| return nil | ||
| } | ||
|
|
||
| // Adding the shared volume. | ||
| // This volume contains all bind mounted container bundles. |
There was a problem hiding this comment.
Please extend the comment here, saying that this code path should only be executed when 9p is supported.
virtcontainers/kata_agent.go
Outdated
| @@ -1003,6 +1054,14 @@ func (k *kataAgent) createContainer(sandbox *Sandbox, c *Container) (p *Process, | |||
|
|
|||
| k.handleShm(grpcSpec, sandbox) | |||
|
|
|||
| caps := sandbox.hypervisor.capabilities() | |||
| if !caps.is9pSupported() { | |||
There was a problem hiding this comment.
I would do this check and the file copy from c.mountSharedDirMounts() instead. This means we centralize everything in the container.go implementation. But that also means that you need to define copyFile() as part of the agent interface, which makes sense to me as you're asking to copy a file to the guest through the agent support.
devimc
force-pushed
the
topic/no9pCopyFiles
branch
from
96c3e34 to
bd2de8c
Compare
|
I am having mixed-thoughts regarding the capability flag for the hypervisor. I would like this to be .toml based in addition, perhaps. WDYT? @mcastelino @sboeuf @devimc @sameo |
Mid-term, definitely. If we think about real use cases, then we might need to cover the case where we want to use QEMU without 9pfs (even if 9p is supported), which means the internal decision should be based on hypervisor capabilities AND input from user (configuration.toml basically). Long term, maybe we simply want to get rid of 9p, and we could call this capability |
virtcontainers/capabilities.go
Outdated
| caps.flags |= hotplugUnsupported | ||
| } | ||
|
|
||
| func (caps *capabilities) is9pSupported() bool { |
There was a problem hiding this comment.
@egernst instead of calling this is9pSupported, should this not be something more generic. 9p is one way to share files between host and the VM?
virtcontainers/capabilities.go
Outdated
| @@ -9,6 +9,8 @@ const ( | |||
| blockDeviceSupport = 1 << iota | |||
| blockDeviceHotplugSupport | |||
| multiQueueSupport | |||
| hotplugUnsupported | |||
| plan9FSUnsupported | |||
There was a problem hiding this comment.
@egernst instead of calling this is9pSupported, should this not be something more generic. 9p is one way to share files between host and the VM?
virtcontainers/kata_agent.go
Outdated
| caps := sandbox.hypervisor.capabilities() | ||
| if !caps.is9pSupported() { | ||
| // 9p is not supported, files must be copied | ||
| if err := k.copyFiles(c.mounts, newMounts); err != nil { |
There was a problem hiding this comment.
@egernst does this mean even files coming in from tmpfs, secrets all of them get copied? What happens to volumes.
| // This is where at least some of the host config files | ||
| // (resolv.conf, etc...) and potentially all container | ||
| // rootfs will reside. | ||
| sharedVolume := &grpc.Storage{ |
There was a problem hiding this comment.
@egernst what is the else case here. Do we lose support for volumes?
Yes, this will decouple it from the specific implementation. |
devimc
force-pushed
the
topic/no9pCopyFiles
branch
from
bd2de8c to
aab7c26
Compare
|
Depends-on kata-containers/agent#433 |
devimc
force-pushed
the
topic/no9pCopyFiles
branch
from
aab7c26 to
cc72c85
Compare
|
/test |
|
@devimc kata-containers/agent#433 got merged! Could you please update this PR :) |
devimc
force-pushed
the
topic/no9pCopyFiles
branch
from
cc72c85 to
efe4298
Compare
virtcontainers/container.go
Outdated
| // bind mount it in the shared directory. | ||
| caps := c.sandbox.hypervisor.capabilities() | ||
| if !caps.isFsSharingSupported() { | ||
| // filesystem sharing is not supported, files must be copied |
There was a problem hiding this comment.
How about converting this comment into a log call?
|
|
||
| func (h *hyper) copyFile(src, dst string) error { | ||
| // hyperstart-agent does not support copyFile | ||
| return nil |
There was a problem hiding this comment.
Shouldn't this be...
| return nil | |
| return errors.New("hyperstart-agent does not support copyFile") |
There was a problem hiding this comment.
based on other implementations https://github.com/kata-containers/runtime/blob/master/virtcontainers/hyperstart_agent.go#L999-L1007
I don't think so
virtcontainers/kata_agent.go
Outdated
|
|
||
| err := unix.Stat(src, &st) | ||
| if err != nil { | ||
| return fmt.Errorf("Could get file %s information", src) |
There was a problem hiding this comment.
| return fmt.Errorf("Could get file %s information", src) | |
| return fmt.Errorf("Could not get file %s information: %v", src, err) |
virtcontainers/kata_agent.go
Outdated
|
|
||
| b, err := ioutil.ReadFile(src) | ||
| if err != nil { | ||
| return fmt.Errorf("Could not read file %s", src) |
There was a problem hiding this comment.
Again, it would help to include the error so the user can see why the read failed.
devimc
force-pushed
the
topic/no9pCopyFiles
branch
2 times, most recently
from
996970e to
d038fd8
Compare
Brings support to copy file from host to guest shortlog: 169d755 protocols/grpc: implement function to copy files ff87c26 virtio-mmio: Add support for virtio-mmio blk devices b9c5d5b libcontainer: use /run as root containers path 092f1a0 block: add support of block storage driver "nvdimm" Signed-off-by: Julio Montes <[email protected]>
devimc
force-pushed
the
topic/no9pCopyFiles
branch
2 times, most recently
from
c39b991 to
483aab9
Compare
|
/test |
Not all hypervisors support filesystem sharing. Add capability flags to track this. Since most hypervisor implementations in Kata *do* support this, the set semantices are reversed (ie, set the flag if you do not support the feature). Fixes: kata-containers#1022 Signed-off-by: Eric Ernst <[email protected]> Signed-off-by: Julio Montes <[email protected]>
Files are copied over gRPC and there is no limit in size of the files that can be copied. Small files are copied using just one gRPC call while big files are copied by parts. Signed-off-by: Julio Montes <[email protected]>
devimc
force-pushed
the
topic/no9pCopyFiles
branch
from
483aab9 to
87509c5
Compare
|
@egernst changes applied, thanks |
|
/test |
|
@jodh-intel changes applied, thanks |
There was a problem hiding this comment.
"Neither create shared directory nor add 9p device if hypervisor doesn't support
file sharing since files will be copied over gRPC using agent's copyFile
function."
Suggested reword:
"If the hypervisor does not support filesystem sharing (for example, 9p), files will be copied over gRPC using the copyFile request function"
If the hypervisor does not support filesystem sharing (for example, 9p), files will be copied over gRPC using the copyFile request function. Signed-off-by: Julio Montes <[email protected]>
Copy files to contaier's rootfs if hypervisor doesn't supports filesystem sharing, otherwise bind mount them in the shared directory. see kata-containers#1031 Signed-off-by: Julio Montes <[email protected]>
devimc
force-pushed
the
topic/no9pCopyFiles
branch
from
87509c5 to
378d815
Compare
|
@egernst ok, sounds good |
| @@ -63,6 +65,7 @@ var ( | |||
| shmDir = "shm" | |||
| kataEphemeralDevType = "ephemeral" | |||
| ephemeralPath = filepath.Join(kataGuestSandboxDir, kataEphemeralDevType) | |||
| grpcMaxDataSize = int64(1024 * 1024) | |||
There was a problem hiding this comment.
Good question! @devimc - is this just a restriction added to avoid a DoS or something?
There was a problem hiding this comment.
In other words: Is this related to any gRPC limitations?
There was a problem hiding this comment.
yes, it's to avoid DoS attacks, I'd prefer to use small chunks, but I can change it if you want
There was a problem hiding this comment.
according with this https://godoc.org/google.golang.org/grpc#MaxRecvMsgSize the default size 4MB , I can use it but if the value changes to 1000MB probably we'll face DoS attacks
| @@ -63,6 +65,7 @@ var ( | |||
| shmDir = "shm" | |||
| kataEphemeralDevType = "ephemeral" | |||
| ephemeralPath = filepath.Join(kataGuestSandboxDir, kataEphemeralDevType) | |||
| grpcMaxDataSize = int64(1024 * 1024) | |||
There was a problem hiding this comment.
Good question! @devimc - is this just a restriction added to avoid a DoS or something?
|
/test |
No description provided.